STIGhubSTIGhub
STIGsSearchCompare

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • Release Notes
  • VPAT
  • DISA STIG Library
STIGs updated 3 hours ago
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

V-258844

CAT III (Low)

The Photon operating system must allocate audit record storage capacity to store audit records when audit records are not immediately sent to a central audit record storage facility.

Rule ID

SV-258844r933593_rule

STIG

VMware vSphere 8.0 vCenter Appliance Photon OS 4.0 Security Technical Implementation Guide

Version

V1R1

CCIs

CCI-001849

Discussion

Audit logs are most useful when accessible by date, rather than size. This can be accomplished through a combination of an audit log rotation and setting a reasonable number of logs to keep. This ensures that audit logs are accessible to the ISSO in the event of a central log processing failure.

Check Content

At the command line, run the following command to verify auditd is configured to keep a number of audit logs in the event of a central log processing failure:

# grep -E "^num_logs|^max_log_file_action" /etc/audit/auditd.conf

Example result:

num_logs = 5
max_log_file_action = ROTATE

If "num_logs" is not configured to "5" or greater, this is a finding.
If "max_log_file_action" is not configured to "ROTATE", this is a finding.

Fix Text

Navigate to and open:

/etc/audit/auditd.conf

Ensure the following lines are present, not duplicated, and not commented:

num_logs = 5
max_log_file_action = ROTATE

At the command line, run the following command:

# pkill -SIGHUP auditd